Supervisory Scrutiny Turns to Intraday Risk

Transcription

1 promontory.com WINTER 2016 FEATURED ARTICLE: Supervisory Scrutiny Turns to Intraday Risk BY JEFF STEHM, YOKO OTANI, AND BILL RUTLEDGE ALSO IN THIS ISSUE: Developing a Sound Risk and Compliance Culture Scrutiny of Audit Committees Steadily Increases Banks Energy Lending Comes Under Review The New ORSA Regime for US Insurers: Report Preparation And Attestation

2

3 Contents FEATURED ARTICLE: 3 Supervisory Scrutiny Turns to Intraday Risk BY JEFF STEHM, YOKO OTANI, AND BILL RUTLEDGE Developing a Sound Risk and Compliance Culture BY SUSAN KRAUSE BELL Scrutiny of Audit Committees Steadily Increases BY JACOB LESSER, CONWAY DODGE, AND DIDEM NISANCI 23 Banks Energy Lending Comes Under Review BY JEFF GLIBERT 27 The New ORSA Regime for US Insurers: Report Preparation and Attestation BY LISA MEGEASKI WINTER 2016

4 Sightlines Promontory Financial Group Promontory Financial Group helps companies and governments around the world manage complex risks and meet their greatest regulatory challenges. We are a global leader in risk management, regulation, and compliance. Former U.S. Comptroller of the Currency Eugene A. Ludwig founded Promontory in Today, Promontory has offices throughout North America, Europe, Australia, and Asia, including the Middle East. Financial institutions and regulators look to Promontory to help develop and enhance compliance, governance, and risk management programs and controls, as well as to structure and implement forensic reviews. Promontory provides thorough, objective, and independent assessments of client issues and concerns, and provides solutions that meet regulatory expectations. EDITOR IN CHIEF Susan Krause Bell MANAGING EDITOR Todd Davenport CREATIVE DIRECTOR Robb Stout CONTRIBUTING EDITORS Conway Dodge Jeff Glibert Jacob Lesser Lisa Megeaski Didem Nisanci Yoko Otani Bill Rutledge Jeff Stehm Eugene A. Ludwig Founder and CEO, Promontory Financial Group To subscribe to Promontory s publications, please visit promontory.com/subscribe.aspx Global Headquarters th Street, NW Suite 1100 Washington, DC T F promontory.com Follow Promontory on 2016 Promontory Financial Group, LLC. All Rights Reserved. 2 PROMONTORY Sightlines WINTER 2016

5 Supervisory Scrutiny Turns to Intraday Risk BY JEFF STEHM, YOKO OTANI, AND BILL RUTLEDGE This article originally appeared as a Sightlines InFocus on December 16, Jeff Stehm Director Yoko Otani Managing Director Banks are generally accustomed to monitoring the traditional taxonomy of risks credit, liquidity, operational, market, legal, and reputational on a multiday or longer basis, but these risks can ripen within a single day in the payment and settlement process. Intraday risks can threaten a bank s ability to meet its obligations, or those of its customers, and expose it to significant credit losses, liquidity pressures, legal actions, and reputational problems. Supervisors in the years since the financial crisis are looking more and more closely at intraday risks, particularly banks ability to monitor intraday credit exposures and liquidity. Their scrutiny centers on reporting of intraday payment patterns, liquidity usage, and credit extensions, and they encourage intraday-liquidity stress testing as a way to measure and manage intraday risks, mitigate payment-system risk, and ensure the smooth functioning of the payment system as a whole. The supervisors are focusing their attention on banks with extensive retail and large-value payment operations, correspondent banks, and banks involved in clearing and settling foreign-exchange, derivatives, or securities transactions. Meeting these expectations requires sophistication in data aggregation and reporting, data analytics, stress testing, and risk management. Beyond satisfying supervisors, however, banks are likely to find that better intraday risk management and greater clarity about intraday flows help them do more for their customers at lower cost, and allow them to better assess the economics of customer and vendor relationships. Banks that invest appropriately may also benefit from: Lower usage of intraday credit lines and associated funding costs Better decision-making in forging correspondent-banking relationships Improved information for rationalizing and fine-tuning payment and settlement networks Value-added information and credit services for customers Improved data and internal systems serving multiple functions and business lines Supervisors are getting close to proposing new intraday risk requirements, and banking organizations are likely to find that marshaling the systems and resources necessary to improve their intraday risk management is a significant undertaking. The initial steps of this effort include formulating appropriate strategies for credit and liquidity management, establishing governance and project-management frameworks, identifying data sources and gaps, and creating prototypes of reporting and analytical tools. Bill Rutledge Managing Director Supervisory Expectations Supervisors believe that failure to manage intraday risk could result in a bank s inability to meet payment obligations for itself and its customers. The collective management of banks intraday risk profoundly affects the smooth functioning of payment and settlement systems. A key aspect of intraday risk is the management of intraday liquidity and associated implications for provision of intraday credit to clients and business lines to facilitate settlements. Expectations for managing intraday liquidity risk are not new. The Federal Reserve has a WINTER 2016 PROMONTORY Sightlines 3

6 long-standing policy governing banks daylight overdrafts on their Federal Reserve accounts. It requires banks seeking net debit caps from the Federal Reserve to assess, on a legal-entity basis, their intraday-funds management and controls, credit policies and controls covering customer activity, operating controls, and contingency procedures related to their intraday activities over U.S. payment systems. 1 This assessment requires banks to have a good understanding of their daily use of intraday liquidity, but allows them to use a sample period to determine peak and average use of intraday liquidity. Regular monitoring and reporting are not explicitly required. Supervisors have articulated additional standards in recent years, and now expect banks to have a much more detailed qualitative and quantitative understanding of intraday liquidity. The Basel Committee on Banking Supervision in 2008 issued 17 principles for sound liquidity risk management and supervision, 2 the eighth of which called on banks to actively manage their intraday liquidity positions and risks in order to meet their payment and settlement obligations on a timely basis under normal and stressed conditions. It also stipulated a number of qualitative elements banks should include in their overall liquidity-management strategy and capabilities: 3 Measurement of expected daily gross liquidity inflows and outflows and, where possible, anticipation of intraday timing of these flows Forecasts of the range of potential net funding shortfalls that might arise at different points during the day Monitoring of intraday liquidity positions against expected activities and available resources (balances, remaining intraday credit capacity, and available collateral) Funding arrangements to meet intraday objectives Management of collateral as necessary to obtain intraday funds Timing of liquidity outflows in line with intraday objectives Capacity to deal with unexpected disruptions Supervisors have subsequently sought a more quantitative picture of banks use of intraday liquidity across functions, currencies, and jurisdictions. The BCBS in April 2013 issued standards which complement the qualitative guidance in the sound principles for quantitative reporting intended to help supervisors understand a bank s intraday liquidity patterns in normal conditions. 4 Under these monitoring standards, banks must report a variety of metrics on a monthly basis to their supervisor. Calculating the metrics and analyzing underlying patterns will require a banking organization to collect and retain significant amounts of granular, transaction-level data, including opening balances, closing balances, transaction-level information on various credit and debit entries, timeof-day credit usage, and collateral available for intraday credit. The data must be in a form to be identified and sorted along several dimensions: Hourly time buckets within the day Currency Legal entity Payment/settlement system Correspondent Customer 1 Banks can receive de minimis intraday liquidity from the Federal Reserve without an assessment, but any substantial extension of intraday liquidity requires a self-assessed net debit cap based in part on an assessment of these controls. See Section VII, Self-Assessment Procedures, in the Guide to the Federal Reserve s Payment System Risk Policy on Intraday Credit. 2 See Principles for Sound Liquidity Risk Management and Supervision, Basel Committee on Banking Supervision, September U.S. banking agencies subsequently incorporated these qualitative elements into regulation and supervisory guidance. See Interagency Policy Statement on Funding and Liquidity Risk Management, Office of the Comptroller of the Currency, Federal Reserve, Federal Deposit Insurance Corp., Office of Thrift Supervision, and National Credit Union Administration, March 17, 2010; OCC Handbook on Liquidity, June 2012; and Federal Reserve Regulation YY, Section (h)(3) for U.S. bank holding companies and Section (g) for foreign banking organizations, November See Monitoring tools for intraday liquidity management, BCBS, April PROMONTORY Sightlines WINTER 2016

7 BCBS Reportable Metrics Daily maximum intraday liquidity usage (all reporting banks maximum, second-maximum, third-maximum, and daily average values) Largest positive net cumulative position Largest negative net cumulative position Available intraday liquidity at start of day, broken down by: (all reporting banks minimum, second-minimum, third-minimum, and daily average) Central-bank balances Total credit lines available Collateral pledged to central bank - Of which secured Collateral pledged to ancillary systems - Of which committed Unencumbered liquid assets Balances with other banks on a bank s balance sheet Other Total payments (all reporting banks maximum, second-maximum, thirdmaximum, and daily average values) Gross payments sent Gross payments received Total value of time-specific payments (all reporting banks maximum, second-maximum, third-maximum, and daily average values) Total gross value of payments made on behalf of correspondent-banking customers (banks providing correspondent services maximum, second-maximum, third-maximum, and daily average values) Intraday credit lines extended to customers (banks providing correspondent services maximum, second-maximum, third-maximum, and daily average values) Total value of credit lines extended to customers - Of which secured - Of which committed - Of which used at peak usage Intraday throughput (banks that are direct participants in large-value payment systems) WINTER 2016 PROMONTORY Sightlines 5

8 Banks face the added challenge of identifying and reporting two subsets of payment activity. When reporting daily gross payments sent, banks must identify the total value of the subset of payments made each day to settle time-specific obligations. Identifying such payments within a bank s overall payment flows may be particularly challenging. For instance, settlement payments for financial market infrastructures, such as CLS or a central counterparty, readily fall into this subcategory, but other time-critical payments such as payments an issuing and paying agent bank makes on behalf of bond issuers do not fall neatly into this category. Neither regulators nor the industry has reached a wider understanding or accepted market convention for what constitutes a time-critical payment. Banks that provide correspondent-banking services will need to identify the total value of the subset of all payments made on behalf of their correspondent customers and, in conjunction with these payments, the value of intraday credit lines extended to customers and the peak usage of those lines during the month. The monitoring standards also identify four stress scenarios that banks should consider, in consultation with their supervisor, to assess potential impacts on intraday liquidity: Own financial or operational stress Stress that prevents a counterparty from making payments Customer bank s stress Marketwide credit or liquidity stress Banks are not expected to regularly report to their supervisors their assessments of stress scenarios on intraday liquidity, but they are expected to discuss with their supervisor how they would address any adverse impact through either their contingency planning or their framework for managing intraday liquidity risk. Most national regulators have not yet implemented these standards, and it is unclear how they will do so. 5 Bank supervisors in the U.S. are currently working to specify reporting requirements applicable to U.S. banks. Although U.S. supervisors will likely apply the requirements to the largest internationally active U.S. banks, what is not clear is how U.S. supervisors might apply the requirements beyond the largest U.S. banks. U.S. supervisors will also need to establish materiality thresholds for reporting by currencies, systems, and correspondent customers; and clarify a number of definitions. Finally, they will need to align requirements for intraday liquidity reporting with other regulatory requirements, such as the liquidity coverage ratio and Comprehensive Liquidity Assessment and Review. 6 U.S. supervisors are expected to propose implementation requirements for public comment in early The BCBS standards are intentionally broad and high-level in several respects, to accommodate expectations that vary by jurisdiction. Material differences such as a lack of standardized data requirements and varying implementation time frames will create additional challenges for cross-border banking groups. 7 5 The standards are effective Jan. 1, 2015, but national supervisors may consider phasing in compliance, preferably no later than Jan. 1, National supervisors may also decide to broaden coverage to other banks in their jurisdictions. U.S. regulators have not yet determined an implementation date. Some countries notably the United Kingdom, Netherlands, Australia, and China already have an intraday-monitoring framework in place. 6 The Comprehensive Liquidity Analysis and Review is a supervisory exercise conducted by the Federal Reserve to assess whether banks have sufficiently liquid balance sheets and proper risk management procedures to access funding during adverse periods. 7 For example, see Implementation Challenges, Outstanding Issues and Recommendations Regarding the Basel Committee Monitoring Tools for Intraday Liquidity Management, Bankers Association for Finance and Trade, the Institute of International Finance, and the Clearing House, June PROMONTORY Sightlines WINTER 2016

9 Data and Reporting Challenges Any proposal for implementing new requirements for intraday liquidity monitoring in the U.S. will likely adhere to the BCBS monitoring standards. Complying with the BCBS monitoring standards will be a significant challenge for banks that requires system enhancements to allow for the collection, retention, and analysis of transaction-level data on beginning and ending account balances and intraday account debits and credits. Banks must also identify transaction-level data with the appropriate counterparty, legal entity of the bank, settlement value and currency, time-stamp information, and execution venue. The transaction-level data must be consistent with any intraday credit lines used or extended when processing payment transactions including collateral and pledging details, if such lines are secured. For most banks, the most demanding elements of this effort are likely to involve: Identifying and accessing data at the appropriate level of granularity. In most banks, myriad product systems and business lines generate payment flows, complicating data identification and aggregation. The good news is these flows typically funnel into a relatively small number of key payment mechanisms that provide a useful starting point for tracing flows back to the source product systems and business lines. Collecting data in a central, usable intraday-liquidity database. Necessary payment and collateral data exists in differing formats internal accounting data, SWIFT messages, local payment-system formats, and varying formats for correspondent banks, custodians, and securities depositories requiring substantial effort in interpreting, harmonizing, categorizing, and aggregating data. Aggregating transactional activity from different payment mechanisms to determine intraday positions over some time period will require large transactional data sets. Interpreting and categorizing the data accurately for reporting and analytical purposes. Deriving insight for risk management from the data will require tracing at least the largest flows from product- and business-line sources to external payment and settlement systems in order to understand the business lines driving payment flows and their intraday and interday patterns. Two of the most difficult metrics will likely be the daily maximum intraday-liquidity usage by the bank and aggregate usage of intraday credit lines extended to customers. Determining the daily maximum usage of intraday liquidity will require banks to collect time-stamped transaction-level information on all payments made and received during each hour of the day over the settlement account for each payment system and correspondent by currency, calculate the net position in each hour, and identify the largest net positive and negative positions during the day. The largest net positive and negative positions for each day will then need to be accumulated for each month in order to identify the three largest net positions each month and calculate an average of the net positions. The Basel Committee s 2013 standards for monitoring intraday liquidity are shaping up to be a key reporting challenge for banks. WINTER 2016 PROMONTORY Sightlines 7

10 Banks will also need to track amounts of intraday credit lines extended to customers and report monthly the three largest, as well as their peak usage and whether they are secured or unsecured. It will be no simple task to aggregate customers use of intraday liquidity across currencies and locations, especially if credit lines are managed locally. Banks will have to use the data they amass for purposes that go beyond regulatory reporting for example, using the data for analytics, carrying out intraday liquidity stress tests, and developing effective intraday liquidity risk management programs that integrate first- and second-line reporting needs. In order to analyze intraday patterns over time and in varying market conditions, banks must build data sets that provide real-time and historical intraday information across customer accounts, products, and business lines. Firms will also need flexible and interactive analytical tools that enable business and risk managers to drill down into time frames and transactions driving intraday liquidity usage and conduct stress tests against a variety of scenarios. Practical Considerations for Boards and Senior Management Given the complexities of collecting and reporting intraday liquidity information, any U.S. monitoring requirements will likely be phased in over time. Key aspects of the U.S. proposal that merit consideration and comment by banks include: Scope. What institutions, currencies, and transactions (e.g., reporting categories and reporting thresholds) are covered? Effective dates. Is the time frame sufficient to allow for necessary data and system changes and will certain requirements be phased in? Definitions. Are key terms clear and defined in a manner that can be easily applied? Alignment. Are proposed U.S. reporting requirements conflicting or mutually exclusive with those of other jurisdictions? Banks are likely to coordinate comments through industry groups, but each bank will need to consider its unique circumstances and business model to assess the impact of any proposal on its operations and may want to submit individual comments. The complexity of the effort argues against waiting for regulators to finalize requirements. The first step is an appropriate governance and project-management structure which will, at a minimum, involve treasury, credit-risk, correspondent-banking, and operations. Intraday liquidity monitoring warrants its own project-management structure, but the structure should be closely aligned and integrated with the bank s larger data-governance and reporting efforts such as those devoted to compliance with the BCBS principles for aggregating and reporting risk data. 8 Board directors and senior management should also consider strategies for short-term compliance with the monitoring standards (2016 and 2017) and determine how those efforts will fit into a longer-term strategy around intraday liquidity management. An institution s intraday-liquidity strategy should be well integrated into its larger strategy for liquidity risk management, data governance, and risk-data aggregation and reporting. A comprehensive strategy and reporting consistency at global and local levels will avoid multiple implementation efforts across different entities within a group. The strategy should also 8 See Principles for effective risk data aggregation and risk reporting, BCBS, January 2013, and Better Risk Data: Regulatory Mandate and Strategic Opportunity, Ray Strecker, Yoko Otani, and Stacy Coleman, Promontory Sightlines, June 30, PROMONTORY Sightlines WINTER 2016

11 Banks that lack a reasonable approximation of the required information already available will learn much about their intraday risk and have the opportunity to reexamine their risk appetite, counsel key customers on how to manage their own intraday liquidity, and possibly find new revenue opportunities. align information around a defined, common view of risk information between business lines and the risk management function. That alignment will support front-line units as primary owners of risk, optimize reporting, simplify risk management discussions, promote effective challenge, and lower costs. Practical strategies on intraday liquidity focus on achieving compliance with the monitoring standards in the short term, while following a broad longterm strategy for improving intraday liquidity management and the payment, clearing, and correspondent businesses. An initial evaluation of data gaps and data sources, both internal and external, will help identify data requirements, determine how data might be accessed and collected, and identify issues around data formats and aggregation. This effort requires time and significant outreach and coordination across functions, business lines, legal entities, external payment systems, and correspondents in all relevant jurisdictions. 9 Three interrelated themes transactions involving cash movements, collateral transactions, and intraday credit use and provision can help organize these efforts and support an approach that focuses initially on a bank s largest intraday flows by system, correspondent bank, and currency. The evaluation will also show which existing infrastructure and data formats banks can use in building their central database on intraday liquidity. Banks likely to be subject to the final supervisory guidance may also opt to start building prototypes and tools to meet the eventual reporting requirements. The monitoring standards include annex material showing worked examples, and using these examples and industry resources 10 can help banks come close to meeting the substance of the reporting requirements even if some adjustments and reformatting are required in later regulatory submissions. Banks that have already developed solid information on their intraday risks for their own management will likely not find this effort burdensome. Banks that lack a reasonable approximation of the required information already available will learn much about their intraday risk and have the opportunity to reexamine their risk appetite, counsel key customers on how to manage their own intraday liquidity, and possibly find new revenue opportunities. Banks should also consider how to structure analytical tools to make the best use of intraday data for stress testing, liquidity management, and business purposes. Data architecture and data quality will be critical in this regard. 9 A group of global and regional banks and global broker-dealers, with the support of SWIFT, developed an intraday liquidity reporting rule book aimed at creating and supporting the adoption of common industry business practice for intraday liquidity messaging. 10 Ibid. WINTER 2016 PROMONTORY Sightlines 9

12 Conclusion Supervisory requirements for intraday liquidity will likely evolve and become more closely integrated with broader requirements for liquidity risk management, risk-data aggregation, stress testing, and recovery planning. Banks should take a long-term, strategic view on compliance with the BCBS standards for intraday liquidity monitoring. Implementation may present challenges and incur costs in the short term, but banks can reap substantial business benefits from it. Better intraday risk management helps banks deliver better services tailored to specific business lines and customer relationships and accurately assess the economics of these relationships. Improved intraday data helps optimize credit-line allocation and extensions of intraday credit, reduce costs and risks associated with payments and the use of correspondents and custodians, and strengthen overall liquidity management. Other potential benefits include lower usage of intraday credit lines and associated funding costs; better decision-making on commercial terms for correspondent-banking relationships; improved information for rationalizing and fine-tuning a bank s payment and settlement networks; and value-added information and credit services for payment, settlement, and correspondent-banking customers. Finally, multiple functions and business lines such as treasury, cash management, custodial services, risk management, resolution planning, and business continuity will make use of investments in improved data and internal systems to deliver enhanced, information-rich services. These potential benefits argue for early compliance with the BCBS monitoring standards as part of a longer-term, integrated business strategy for harnessing enhanced risk data. ABOUT THE AUTHORS Jeff Stehm is a director at Promontory and advises clients on matters related to payments and financial market infrastructure. He served for more than three decades with the Federal Reserve Board, where he was responsible for policy, supervisory, and regulatory matters related to intraday credit and systemically important financial market infrastructures. Yoko Otani is a managing director at Promontory and advises clients in risk and compliance matters, including asset-liability and liquidity risk management issues, and helps integrate strategic and regulatory objectives. She has more than 20 years of experience in the financial services industry as a banker and specialist in corporate treasury. Bill Rutledge is a managing director at Promontory and advises major U.S. and foreign banking organizations on risk management, governance, and supervisory issues. He served a distinguished career in bank supervision at the Federal Reserve and has extensive international policy experience, including membership on the Basel Committee on Banking Supervision and chairmanship of the Senior Supervisors Group. 10 PROMONTORY Sightlines WINTER 2016

13 BY SUSAN KRAUSE BELL Developing a Sound Risk and Compliance Culture This article originally appeared as a Sightlines InFocus on October 14, Susan Krause Bell Managing Director Seven years after the financial crisis and five years since the Dodd-Frank Act s passage into law, supervisors expectations are still rising. In addition to the numerous new or strengthened regulations emerging in the wake of the crisis, regulators are increasingly talking about problems with financial firms culture of risk and compliance. The emphasis on risk culture is motivated, in part, by recent high-profile conduct missteps at several large banks, lapses that occurred in spite of the significant strengthening of prudential standards. It also reflects a long-standing and consistent regulatory focus on sound and sustainable risk management practices. That regulators expect banking organizations and other financial institutions to have effective governance, risk management, and compliance programs is nothing new. What discussions of risk culture add to the mix is a sharper focus on whether the company s employees demonstrate the behavioral norms and attitudes that align with the risk appetite and other governance and risk management policies that management has adopted and the board has approved. If this is not the case, the approved policies are not likely to be implemented as intended, leading to ineffective risk management and possible missteps that may be costly to the banks and their shareholders, and potentially harmful to the public and broader financial system. While conceptually not difficult to understand, risk culture is not easily observable or measurable, particularly in large organizations where subcultures often exist. Knowing whether an effective risk culture exists within an organization, what steps to take to improve it, and when to do so can be somewhat baffling. The issue becomes less daunting if one looks at culture as a prerequisite for effective risk management. Behaviors, attitudes, and incentives that are aligned with a financial company s risk policies are just as important to effective risk outcomes as are, for example, comprehensive, well-governed risk data, or robust internal controls. Focusing on risk culture may become more tractable and its value better appreciated if it is viewed as an essential element of an effective and sustainable independent risk management program. Risk Culture s Rising Prominence The Financial Stability Board issued the first official policy focused on risk culture with its April 2014 guidance to supervisors on how to evaluate risk culture at financial institutions. 1 Since then, U.S. supervisors have only addressed risk culture in a limited way in official guidance or regulations. The Office of the Comptroller of the Currency included references to risk culture 1 See for more information, see Spotlight Turns to Risk Culture, Promontory Sightlines InFocus, March 2014, RiskCulture%20FINAL.pdf. WINTER 2016 PROMONTORY Sightlines 11

14 While the cadence and intensity of the supervisory response will be influenced somewhat by the extent to which conduct problems continue to arise at financial firms, the supervisory concerns reflected in the culture discussions are likely to have a long life. when it finalized its heightened-standards guidance in September Specifically, a bank covered by the standards must include a qualitative description of a safe and sound risk culture in its risk-appetite statement. Many institutions have also found that examiners often point to culture as a weakness if they conclude risk or compliance functions are not working well. U.S. regulators have also been vocal on the subject in speeches and meetings. Federal Reserve, OCC, and Securities and Exchange Commission officials have made numerous speeches that emphasize sound risk culture, effective compliance programs, and the importance of ethics and are expected to continue to do so. The Federal Reserve hosted a workshop last year on culture for large-bank chief executive officers and has another scheduled this November. A similar chorus can be found among regulators in the U.K., Canada, Europe, and Australia. Notably, the Basel Committee on Banking Supervision s recently updated guidance on corporate governance mentions risk culture frequently, including as a key component of risk governance. 2 There have been private-sector efforts as well to bring attention to the importance of risk culture, including from academia, advisers, and industry associations. Regulatory forays into risk culture can be expected to continue, both through the bully pulpit and written rules and guidance. Supervisors of individual institutions can also be expected to continue their focus on cultural weaknesses through the examination and enforcement process. While the cadence and intensity of the supervisory response will be influenced somewhat by the extent to which conduct problems continue to arise at financial firms, the supervisory concerns reflected in the culture discussions are likely to have a long life. In what follows, we offer some practical ways for directors and management to consider the issue of risk culture at their institutions and potential steps to take to ensure that the firm s culture adequately supports sound risk management and compliance. Building Blocks of Risk Culture The cornerstone of an effective risk culture is a well-designed architecture for risk and compliance management. Additional building blocks provide focus on achieving the behaviors and attitudes needed to ensure the programs work as intended and are sustainable. 1. Robust risk and compliance programs First and foremost, a banking organization must have an independent risk management framework that includes a board-approved risk-appetite statement and policies and 2 Corporate-governance principles for banks, Basel Committee on Banking Supervision, July PROMONTORY Sightlines WINTER 2016

15 procedures for enterprisewide risk identification, measurement, management, and control. At the highest level, the framework should: Establish accountability and clarify roles and responsibilities for managing risks in all three lines of defense Include oversight, governance, and reporting protocols Ensure that information and risk-measurement systems support meaningful, timely risk reports Ensure robust controls and independent testing The basic design elements of the risk and compliance framework must also address the behaviors and attitudes needed to align with and support the risk-appetite statement and risk and compliance policies. These include initiatives to: Define the desired behaviors and attitudes that are required in all three lines of defense to effectuate and adhere to the firm s risk-appetite statement Foster compliance both in spirit and letter of the requirements Require firmwide training on risk management policies, roles, and responsibilities, covering not only what is required, but why it is required Institute a process to investigate adverse risk events when they occur to ascertain their causes such as drivers rooted in culture and behavior and make appropriate changes 2. Stature of risk and compliance personnel Risk and compliance personnel must have the authority, expertise, and influence to carry out their responsibilities to implement risk management and compliance policies, independently assess risk, and challenge business decisions when necessary. Respect within the organization for the role of the second line of defense including the role of challenge is an essential component of an effective risk and compliance culture. Without it, business decisions may be too heavily driven by short-term revenue considerations, regardless of what written policies require. 3. Structures for effective communication and challenge The risk management framework should provide regular opportunities for communication about risk issues, and constructive challenge of reports, initiatives, and decisions by applicable stakeholders. For example, a risk-committee hierarchy should include a board risk committee, a top-tier enterprise-risk committee, and risk committees within the business lines and in the second-line departments, as appropriate. A number of policies and processes should create avenues for effective communication and challenge. Examples include risk policies such as those governing regular risk assessments, new-product review processes, stress testing, and the like. In addition, the risk-appetite statement should provide a framework for the board to question senior management about appropriate risk-taking. Even reports from the business lines, such as revenue growth from individual product lines, should be subject to constructive questioning to ensure that potential emerging risks are identified. 4. Incentive structure to reinforce risk-appetite and compliance imperatives Incentive compensation and performance-review standards should be aligned with the organization s risk objectives and not favor short-term revenue generation over long-term WINTER 2016 PROMONTORY Sightlines 13

16 risk concerns. Performance development and promotions should incorporate risk management and compliance considerations. Compensation policies have a significant influence over behaviors and can be a powerful tool in achieving risk and compliance objectives. 5. Leadership: board and management The board and management have an important role in setting, communicating, and modeling the firm s strategy, core values, risk appetite, and risk framework. Employees are highly influenced by what they perceive as their own managers expectations, which gives all levels of management a powerful role in shaping the culture of a company. The board has an important role in: Ensuring adequate resources are available for risk and control functions Approving the risk appetite Scheduling adequate agenda time for risk and compliance issues Approving compensation policies that align incentives between risk control and revenue Executing effective challenge of each other and of management Management has a particular role in: Promoting risk awareness and encouraging an open and constructive dialogue about risk-taking throughout the organization Demonstrating through their actions their own commitment to the organization s risk and compliance objectives Ensuring that risk committees receive adequate information and discussion about risks, encourage challenge, and escalate risk issues as necessary Ensuring employees in the first and second lines of defense understand their risk management roles and responsibilities and are held accountable for carrying them out 6. Linking business success with core values and effective risk and compliance practices Employees should understand what behaviors are expected of them and how these behaviors will help them, and the organization, succeed. Employees must understand the objectives of the risk-appetite statement, and the risk and control functions, and how those elements help the bank survive through normal and stressful times. This message should be conveyed through training and by all levels of management on an ongoing basis. 7. Monitoring and reinforcing an effective risk culture Finally, a risk culture, no matter how good at a point in time, is vulnerable to drifting off track. Management should monitor risk culture over time. While culture can be difficult to measure in an absolute sense, management can tailor indicators consistent with the institution s risk appetite, agreed norms, and acceptable behaviors to signal improvements or potential problems in risk culture. These indicators can include survey results, audit response times, performance-review trends, and similar gauges of risk culture. Particular attention should be given to an individual firm s areas of vulnerability. For example, a large bank may need to closely track far-flung or specialty offices where rogue cultures may emerge, or newly acquired businesses where the firm s risk appetite and culture may be less well understood. Similarly, businesses undergoing significant growth or facing other structural pressures and changes may be vulnerable to changing culture. Adjustments can and should be made over time as weaknesses are identified. 14 PROMONTORY Sightlines WINTER 2016

17 BUILDING BLOCKS AND GAPS OF RISK CULTURE Building Blocks of Risk Culture Potential Gaps Robust risk and compliance programs Is the risk framework fully implemented throughout the organization? Is there a well-communicated and monitored code of conduct? Do employees generally know the defined risks and acceptable tolerances of the company? Do all applicable employees understand what the risk and compliance programs expect of them? Is there a practice of pinpointing root causes of adverse risk or compliance events, and implementing lessons learned? Stature of risk and compliance personnel Does the chief risk officer have regular access to the board risk committee and CEO? Does business management visibly seek the views of risk or compliance employees on strategic issues, well before decisions are final? Do risk and compliance employees have access to updated information and training to align with developments in the businesses? Structures for effective communication and challenge Is challenge encouraged by the board and various levels of management? Is constructive challenge included in training courses? Incentive structure to reinforce risk and compliance objectives Does the incentive compensation scheme properly balance revenue goals with risk controls? Are inappropriate attitudes and behaviors toward risk and compliance reflected in compensation? Is there a clawback provision or other mechanism to reflect results over the longer term in compensation? When there are risk failures, are appropriate personnel held accountable, including business leaders? Leadership: Board Do board and board-committee meeting agendas and minutes reflect active board oversight of risk and control issues? Is the information the board receives on risk and compliance comprehensive, clear, and digestible? Leadership: Senior management Does senior management communicate regularly with employees outside of their normal chain of command? Do senior managers, including business leaders, regularly express their commitment to a robust second line of defense? Leadership: Front line Do managers in front-line units actively demonstrate and communicate to employees the expected behaviors and attitudes related to risk-taking decisions and compliance standards? Linking business success with core values and effective risk and compliance practices Maintaining an effective risk culture over time Do employees understand why the risk and compliance policies are critically important to the organization s stability and customer and investor well-being? For systemically important financial institutions, do employees understand how the risk and compliance policies are important to financial-market stability? Have the board and management considered what cultural vulnerabilities the firm may have and taken targeted steps to address them? Are metrics being tracked to shed light on cultural differences across the organization and possible drift in culture? Is training linked to metrics, lessons learned, and similar ongoing feedback about the firm s culture? Is risk training included in the onboarding process? WINTER 2016 PROMONTORY Sightlines 15

18 Determining Potential Steps to Improve Risk and Compliance Culture As noted earlier, risk culture must be firmly rooted in well-designed risk and compliance programs, and can make the difference between a risk and compliance program that works and one that does not. Financial institutions can use the building blocks to reflect on the current state of their risk culture, and what steps might need to be taken to address gaps. The table below provides some questions that can guide institutions in these considerations. Conclusion Financial institutions that want sustainable, effective risk and compliance programs must consider, on an ongoing basis whether the institution s culture aligns with the objectives of those programs. Taking steps where needed to improve risk and compliance culture can reduce losses, and save reputational and regulatory missteps. ABOUT THE AUTHOR Susan Krause Bell is a managing director at Promontory, where she advises clients on regulatory issues, including the Dodd-Frank Act and Basel capital rules, and supervisory priorities, including enterprise risk management and corporate governance. She also assists financial institutions in managing and implementing regulatory directives. 16 PROMONTORY Sightlines WINTER 2016

19 Scrutiny of Audit Committees Steadily Increases BY JACOB LESSER, CONWAY DODGE, AND DIDEM NISANCI This article originally appeared as a Sightlines InFocus on October 7, Jacob Lesser Director In recent years, the audit committee has taken its place as a critical component of effective corporate governance. Though its roots can be traced to the 1970s or earlier, this evolution accelerated in 2002 with the enactment of the Sarbanes-Oxley Act, which made the role of a public company s audit committee a matter of federal law. The audit committee has steadily grown in importance since then, and members now face responsibilities that can be difficult to fulfill and carry consequences for the failure to do so. These tougher expectations have been articulated in: Securities and Exchange Commission enforcement actions against audit-committee members Public debate over mandatory audit-firm rotation Shareholder debates and activism in audit-related areas Calls to expand the disclosure requirements of audit committees Outreach to audit committees by the Public Company Accounting Oversight Board 1 In light of the increased scrutiny, members of audit committees should have a firm grasp of their increasing responsibilities as a first step in meeting them. The Regulatory Framework Conway Dodge Managing Director Didem Nisanci Managing Director Sarbanes-Oxley sought to enhance auditor independence by imposing new requirements on audit committees. The law requires the audit committee to be directly responsible for the appointment, compensation, and oversight of the company s outside auditor. 2 This effectively shifted these responsibilities from the chief financial officer to a committee of independent directors. It also mandated that audit committees preapprove all audit services and permissible nonaudit services, and required auditors to report certain matters to the audit committee, such as the company s critical accounting policies. The PCAOB has adopted further requirements aimed at facilitating the audit committee s required oversight. These include Rule 3526, which requires an auditor to describe to the audit committee all relationships with the client that may reasonably be thought to bear on independence, and Auditing Standard No. 16, which requires auditors to communicate with the audit committee about audit strategy, significant risks, and audit results, among other things. 1 See PCAOB, Audit Committee Dialogue (May 2015), available at 2 Sarbanes-Oxley Act Section 301 (requiring the SEC to direct national securities exchanges and national securities associations to include certain audit-committee requirements in their listing standards). WINTER 2016 PROMONTORY Sightlines 17

20 Nine Questions for Audit-Committee Members 1. Have you analyzed your company s employee-confidentiality provisions for compliance with the Dodd-Frank Act s whistleblower protections? 2. What is your process for overseeing the external auditor s work, and how effective is it? 3. Do you receive sufficient information from the auditor to carry out your oversight responsibilities, including the communications required by Auditing Standard No. 16 and PCAOB Rule 3526? 4. What are your policies and procedures for appointing or retaining the auditor, and how do you ensure a rigorous evaluation of auditor independence? 5. Do you have a policy regarding audit-firm rotation or audit retendering? 6. What is your process for approving nonaudit services? 7. Does the committee possess the necessary skills and expertise? 8. Has there been an evaluation of the audit committee s effectiveness (pursuant to NYSE listing standards or otherwise), and have any identified problems been remediated? 9. Are you exercising your authority to retain advisers as necessary, particularly as workloads expand and regulatory and enforcement activity increases? In addition to overseeing the company s relationship with its external auditor, the audit committee is responsible for other, key aspects of the financial-reporting process. For example, Sarbanes-Oxley requires the audit committee to establish a procedure for confidential, anonymous complaints by employees regarding accounting and auditing concerns. Securities and Exchange Commission rules also require public companies to disclose a significant amount of information about their audit committees, including whether the company has at least one audit-committee financial expert, and if not, why not. Audit committees also oversee companies internal audit function. That can be particularly time-consuming in some industries banking, for instance in which internal audit is itself subject to extensive regulatory obligations. 3 The Current Environment EXPANDING AUDIT COMMITTEE WORKLOAD AND INCREASED SEC ENFORCEMENT ACTIVITY Recent years have seen a noticeable increase in the audit committee s workload and sphere of responsibility. According to one survey, 74% of audit-committee members believe that the time required to carry out their responsibilities has increased moderately (51%) or significantly 3 See, e.g., OCC Guidelines Establishing Heightened Standards, 18 PROMONTORY Sightlines WINTER 2016

21 (23%) in the past two years, while almost half said that their role as audit-committee members has become increasingly difficult. 4 At the same time, the SEC has pursued enforcement actions involving audit committees. In September 2015, the SEC determined that an audit-committee chair caused his company s proxy and reporting violations by signing SEC filings that failed to fully disclose executive perquisites. The audit-committee chair paid a $30,000 penalty to resolve the claims. In March 2014, the SEC charged an audit-committee chair with securities fraud after he allegedly took steps to avoid or delay disclosure of a massive accounting fraud involving his company s Chinese operations. In a settled case filed that same month, the SEC charged the chair of another company s audit committee with causing the company s reporting violations by signing its Form 10-K even though she knew that it contained a false Sarbanes-Oxley certification. A case settled in April 2015 may also have implications for audit committees, though audit-committee members were not charged. In that matter, the company required witnesses in internal investigations to sign a confidentiality agreement prohibiting them from discussing their interviews with anyone absent prior authorization. The SEC charged the company with violating the Dodd-Frank Act s whistleblower-protection provision, which prohibits any action to impede an individual from communicating directly with SEC staff about a possible securities-law violation. Audit committees may want to review their companies whistleblower procedures in light of this case. 5 OVERSIGHT OF THE AUDITOR AND AUDITOR INDEPENDENCE Beyond enforcement, regulators continue to focus on auditor independence and the audit committee s responsibility for it. In 2011, the PCAOB issued a concept release considering the effects of tenure on auditor independence, and questioning whether term limits should be imposed. While it does not appear that the PCAOB will act to require mandatory audit-firm rotation in the U.S., 6 the concept release set off a public debate about how best to safeguard independence in a system in which auditors are paid by the companies they audit. Much of that debate has focused on the audit committee s obligation, post-sarbanes-oxley, to evaluate the auditor s independence and make any necessary auditor changes. Since 2003, New York Stock Exchange listing standards have included commentary suggesting the audit committee should consider whether, in order to assure continuing auditor independence, there should be a regular rotation of the audit firm itself. Nevertheless, the largest U.S. companies change auditors very infrequently. According to the PCAOB s 2011 concept release, auditor tenure was 28 years for the largest 100 companies and 21 years for the largest 500 companies. The debate about mandatory rotation may also have spawned an increase in shareholder activism related to auditor independence. Since the PCAOB concept release, shareholder proposals have sought to require companies to adopt a rotation policy, or to require audit committees to make certain disclosures about independence, including whether they have such a policy. In 2013, the Council of Institutional Investors updated its corporate-governance policies to provide that audit committees should consider rotating auditors even in the absence of egregious reasons. 4 KPMG, 2015 Global Audit Committee Survey, available at pdf/2015/2015-global-audit-committee-survey.pdf. 5 See, e.g., Risk Assistance Network and Exchange with W. Barry, C. Dodge, M. Mann and J. Wareham, Navigating the SEC s New Guidance on Whistleblower Reporting, (Aug. 20, 2015), available at RANEView_Whistleblower-Reporting_Aug _F.pdf. 6 The European Union enacted legislation requiring audit-firm rotation in WINTER 2016 PROMONTORY Sightlines 19

22 Deficiencies in Audits of ICFR Of all integrated audits inspected, percentage in which inspections staff identified deficiencies in auditing internal control over financial reporting that resulted in an insufficiently supported audit opinion. Source: Public Company Accounting Oversight Board % % % % ONE-TWO PUNCH FROM SEC, PCAOB This summer, both the SEC and the PCAOB have plunged into the debate over the audit committee s role. Their actions could have far-reaching implications for audit committees and the companies they serve. The SEC s July 2015 concept release contemplates comprehensive changes to existing requirements for audit-committee reporting to shareholders. In addition to tenure, disclosure items under consideration include: Whether and how the audit committee assesses the auditor s objectivity and professional skepticism The audit committee s rationale for selecting or retaining the auditor Information about accounting firms other than the company s principal auditor that participated in the audit The audit committee s review of and discussion about the auditor s latest PCAOB inspection report Regardless of whether the concept release progresses towards rule-making, the breadth of the requirements under consideration makes it clear that audit committees are under intense scrutiny. The PCAOB is upping the ante on the audit committee s oversight of the auditor, too. Charged with regularly inspecting public-company auditors, it has a common interest with audit committees in audit quality. In May 2015, it shared with audit committees some key items of concern in inspections of large audit firms through a document called the Audit Committee Dialogue. The dialogue identifies the audit deficiencies most frequently identified by PCAOB inspectors: internal control over financial reporting; risk assessment; estimates; and referred work in cross-border audits. It also lists emerging risks the PCAOB is monitoring 7 and poses questions audit committees ought to consider asking their auditors. Two general themes emerge from the May 2015 dialogue: Large, multinational audits present significant coordination and other risks. Audit committees should focus on whether the audit plan has been appropriately updated and tailored to reflect the varied risks of material misstatement across the company s 7. These are: an increase in mergers and acquisitions, falling oil prices, undistributed foreign earnings, and maintaining audit quality while growing other business. 20 PROMONTORY Sightlines WINTER 2016

23 locations. In addition, auditors often depend on other accounting firms typically local affiliates of the firm signing the audit report to audit subsidiaries or business operations in other jurisdictions. Audit committees may want to focus on how the auditor oversees the work performed by these firms and coordinates its integration with the rest of the audit. Audit committees may also want to consider how the auditor ensures that the work of other firms is of high quality. Significant, unusual transactions present opportunities for accounting and auditing mistakes. A significant acquisition can result in the need for adjustments to the audit plan, including to the scope of the audit and the auditor s materiality assumptions, as well as the testing of internal control over financial reporting. Audit committees should consider how the auditor plans to adjust the audit to reflect any significant, unusual transactions that occurred during the fiscal year. While the dialogue provides a useful window into recurring problem areas in actual audits, it is necessarily limited by the scope of the PCAOB s statutory authority, which covers registered public-accounting firms but does not extend to audit committees. The dialogue does not, for example, include guidance for audit committees in carrying out their more basic responsibility for appointing the auditor. In that area, some suggestions may be gleaned from the SEC s recent concept release. Audit committees should: Ensure that the process for appointing or retaining the auditor is rigorous. While there are some requirements related to the appointment and retention of the auditor, audit committees are, for the most part, free to develop a process that best works for them. Whatever the process, audit committees should ensure that it is geared toward retaining an auditor with the competence, objectivity, and professional skepticism necessary to provide an independent check on the company s financial statements. Keep the big picture in mind when evaluating auditor independence. The SEC auditor-independence rules are notoriously detailed and complex, and include numerous definitions and exceptions. Focusing on the specific requirements is important, but audit committees should not lose sight of the more basic test of an auditor s independence, which asks whether a reasonable investor would conclude that the accountant is capable of exercising objective and impartial judgment in the audit. The reasonable investor rule may be particularly useful in weighing the benefits of the auditor s familiarity with the company against the risks to independence that familiarity may pose. Finally, focusing on the composition and conduct of the audit committee itself may yield significant benefits. For example: Make sure that the audit-committee financial expert is a financial expert. As audit-committee workloads expand, accounting rules become more complex, and regulatory expectations increase, having the right people on the audit committee is more critical than ever. Former audit partners and CFOs are often a good choice to provide needed expertise. Audit committees should also ensure that all of their members meet minimum requirements, including those related to independence. Conduct an annual evaluation to shore up any weaknesses. NYSE-listed companies are required to provide an annual performance evaluation of the audit committee, but all audit committees can benefit from a yearly review. A properly conducted evaluation of the audit committee s effectiveness can identify any problem areas and allow them to be remediated. WINTER 2016 PROMONTORY Sightlines 21

24 Seek outside assistance as appropriate. Audit committees have broad responsibilities and limited time. While the time commitment may be increasing, one recent survey found that 64% of audit committees annually spent 100 hours or less on audit-committee responsibilities and 43% spent 50 hours or less. Somewhat unusually for a federal statute, Sarbanes-Oxley requires companies to provide audit committees with the authority and funding to engage outside advisers. As workloads expand and regulatory and enforcement efforts increase, audit committees should consider seeking outside assistance especially when issues arise that are particularly complex or that may be outside the expertise of committee members. Conclusion While audit committees have been subject to federal regulation since the enactment in 2002 of the Sarbanes-Oxley Act, a convergence of factors including a greater emphasis on corporate governance generally has elevated their relevance in recent years. As the requirements come into sharper definition, the risks from failing to meet them are increasing. Public companies are responding by assessing whether the strength and engagement of their audit committees are equal to the scrutiny and interest of regulators and investors. ABOUT THE AUTHORS Jake Lesser is a director at Promontory, where he advises clients on securities-related regulatory, compliance, and enforcement issues. He was previously associate general counsel at the Public Company Accounting Oversight Board. Conway Dodge is a managing director at Promontory, where he advises financial institutions, corporate boards, and private and public companies on all aspects of securities-related regulatory, compliance, and enforcement issues. He was previously an assistant director in enforcement at the Securities and Exchange Commission. Didem Nisanci is a managing director at Promontory. She provides a wide range of financial and regulatory advisory services and has significant experience overseeing broad initiatives regarding policy, legislation, and other strategic issues. She was formerly chief of staff at the Securities and Exchange Commission. 22 PROMONTORY Sightlines WINTER 2016

25 BY JEFF GLIBERT Banks Energy Lending Comes under Review A version of this article originally appeared as a Promontory Insights on September 24, Jeff Glibert Managing Director Banks are reviewing their loans to oil and gas companies, as the latter face strain from a sharp and sustained fall in energy prices and regulators are noting their concern over the credit quality of lenders energy portfolios. Oil prices have fallen substantially in the last year and a half, over concerns about a supply surplus and China s economic slowdown, and prices may not recover significantly in Energy companies particularly companies rated below investment grade have come under stress, and many of these firms have responded by cutting costs and reducing staff. Some have also sought out private-equity investments and/or sold land, mineral rights, and other assets. Sustained low prices have placed banks energy-loan portfolios under stress. The price decline affects any large lender to the energy sector, including regional and international banks. Banks typically provide reserve-based lending to small and midsize exploration and production companies lending that involves understanding how firms allocate their interests, reserves, and cash flows within the capital and ownership structure. Banks that finance oil and gas exploration, development, and production assume the risk associated with borrowers ability to find and extract reserves and deliver the product profitably to market. Repayment is subject to several risks, such as those tied to weather conditions, commodity-price volatility, changing government regulations, geopolitics, and labor shortages. Asset-quality risks can also arise from reduced liquidity in the bank-loan and capital markets and borrowers use of leverage. The 2015 Shared National Credit Program conducted by the Office of the Comptroller of the Currency, Federal Deposit Insurance Corp., and Federal Reserve focused on energy exposures that may result in matters requiring attention around asset quality and effectiveness of practices. The OCC s spring 2015 Semiannual Risk Perspective also highlighted examiners concerns about banks direct and indirect exposure to energy companies beset by low and volatile commodity prices. 1 The OCC in 2014 issued guidance for national banks on managing risks associated with lending to exploration and production companies. Asset-quality concerns over current low oil prices have intensified the recent regulatory scrutiny. Key Questions Banks should answer several questions about current and potential risks in their energy portfolios: Have banks revised their risk appetite and concentration limits to reflect current low energy prices? Do regulatory and internal risk ratings reflect current stresses? Is the process for workouts well-defined and working appropriately? Do reserving and impairment charges reflect the current environment? 1 WINTER 2016 PROMONTORY Sightlines 23

26 Asset-Quality Approach Reserve-based lending is directly tied to the price of oil or gas through a type of lending structure called a borrowing-base mechanism. Lenders of all types regional or multinational engage in reserve-based energy lending, but borrowers in these transactions tend to be small and midsize producers. Credit evaluations will differ for loans to larger, higher-rated producers which tend to have BB or investment-grade credit and more asset diversity and are not dependent on borrowing-base loans. Banks should consider the degree of risk correlation in their energy portfolios (e.g., by pricing, geography, and dependence on capital spending). Borrowing-base loans are largely standardized by banks credit policies and procedures and market practices. Common features include predetermined advance rates against reserve categories and asset-coverage tests. There are other aspects unique to reserve-based lending and individual oil and gas borrowers, including stress-scenario analysis, commodity-hedging strategies, and documentation standards. Lenders may also be senior-secured or exposed at other levels in the capital structure (e.g., second lien and mezzanine). The analysis required to determine the quality and likely path to repayment for a reserve-based oil and gas loan should take into account borrowing-base sizing, liquidity, and financial flexibility. Liquidity Borrowing Base Financial Flexibility 1. Borrowing Base Twice a year (typically on March 1 and Oct. 1), reserve-based lenders do a redetermination, which involves recalculating how much oil and gas companies can borrow, given how much the companies already have, what they have hedged, and expected oil and gas prices. Borrowing-base analysis is used to understand the loan-to-value ratio and predict whether the next redetermination will produce a size reduction that could trigger covenants to pay down the loan to the new availability level. The current redetermination is generally expected to reduce loan availability for most oil and gas borrowers, creating increased liquidity stresses. The next borrowing-base redeterminations will hit small and midsize exploration and production companies harder than larger companies, as smaller companies tend to rely more heavily on bank debt. Also, the analysis provides insight into the likelihood of reserve restatements/write-downs that could lessen liquidity and access to capital. Realized Commodity-Price Assumptions: Should consider base and downside forward-price decks, location basis, quality basis, and price and basis hedging. Capital Spending: Includes detailed drilling and other capital-program sizing and timing, assessment of necessary expenditures to maintain cash flow, degree of certainty that funding will be available, track record, and degree of control (i.e., whether an operator or not). Reserve Classification: Should review underwriting haircuts to determine discounted reserve value (i.e., discounted cash flow of projected cash flow after debt service) based on reserve classifications (i.e., proved developed producing, proved developed nonproducing, and proved undeveloped). 24 PROMONTORY Sightlines WINTER 2016

27 Engineering: Should review reserve risking based on geology and data quality, production volumes under price scenarios, type and quality of decline curve and cost data, fixed and variable development and lifting costs, and evaluation of differences, if any, between reserve estimates by the bank and company engineers. Should also determine whether the experience and independence of the in-house engineering function are consistent with recent guidance from the OCC and other regulators. Other Model Standards: Should include asset-coverage tests (i.e., net present value of cash flow available for debt service over proved reserves), discount rate, and roll-forward reserve production, among others. These tests are contained in risk-acceptance criteria and/or engineering standards. Other Diligence: Analysis should also confirm off-take and processing capacity, transportation constraints, environmental diligence, management s track record and capability, and operational experience (and financial and performance due diligence on third-party operators). The analysis should also consider actions detrimental to the priority of the bank s lender class actions that may affect the standard base or stress-forecast scenarios used in the discounted cash flow. 2. Liquidity Liquidity analysis helps in understanding sources of capital spending and ability to service debt and downsize the reserve loan as needed under base and stress scenarios. Borrowing-Base Sizing: Should review the borrowing-base sizing and availability at the current and upcoming redeterminations. The maturity of the underlying facility should also be considered, as refinancing may be difficult. Structure of Covenant to Resize: Analysis should determine the amount of time a borrower has to affect the pay-down and the constraints following a borrowingbase downsizing that reduces availability below the drawn amount. Access to Liquidity and Covenant Requirements: Should determine availability of funds to meet required payments from committed or other sources a critical consideration with current low prices. Assessments of downside scenarios and the ability to meet liquidity covenants may warn of liquidity issues. 3. Financial Flexibility This analysis should assess financial strategy and flexibility of the overall operational needs, including access to external sources, and review the borrower s options for addressing financial stress and ability to execute these alternatives. Asset Sales: Analysis should review the attractiveness of assets, market demand, transaction valuations, and buyer funding for an acquisition. Ability to Finance Elsewhere in the Capital Structure: Analysis should review public equity, private equity, various forms of second-lien debt, and sale of royalty interests and production payments. Capital and Operational Spending Flexibility: Analysis should review the impact on operating cash flow and access to capital. Management Ability to Execute: Evaluation determines whether management can execute financing alternatives and the drilling plan. WINTER 2016 PROMONTORY Sightlines 25

28 Conclusion Banks should take early and concerted action in carrying out thorough asset-quality reviews of their loans to energy companies. Lenders that do so can meet their regulatory, shareholder, and board expectations for sound risk management and also place themselves in a strong position to benefit from any future upswing in oil and gas prices. ABOUT THE AUTHOR Jeff Glibert is a managing director at Promontory and advises clients on risk management issues, with a focus on credit and counterparty, enterprise, and regulatory risks. He has more than 35 years of risk management experience, having served as global head of credit risk management for Lehman Brothers and spent 27 years at Bankers Trust Co. 26 PROMONTORY Sightlines WINTER 2016

29 The New ORSA Regime for US Insurers: Report Preparation and Attestation BY LISA MEGEASKI This article originally appeared as a Sightlines InFocus on July 22, Lisa Megeaski Director U.S. insurers must soon meet new reporting requirements that will give their regulators and themselves a better view of their risk management standards and ability to weather a crisis as well as meet their longer-term business strategy. The regime also requires senior management to attest to the accuracy of the report and in effect be held responsible for its completeness and accuracy. The Risk Management and Own Risk and Solvency Assessment Model Act, which the National Association of Insurance Commissioners adopted almost three years ago, has passed into law in 29 1 states and will apply to insurers this year. The act, in concert with broader initiatives by state regulators, will reshape regulation of U.S. insurers and modernize their capital, governance, and risk management requirements. The new regime will also better align U.S. regulation with standards set forth by the International Association of Insurance Supervisors, which has required ORSAs for many years. Nearly 30 insurers from the life, property-and-casualty, health, and title sub-industries, as well as reinsurers participated in the NAIC s pilot ORSA program. And in states that have already adopted the ORSA requirement, insurers have begun carrying out their first official ORSAs, which are internally led assessments aimed at improving enterprise risk management (ERM) and offering a groupwide view of insurers risk and capital levels that supplements the traditional legal-entity view. 2 Insurers covered by the law must conduct ORSAs regularly and file at least one ORSA summary report annually with their domiciliary commissioner, or lead state commissioner in the case of insurance groups operating in multiple states. 3 The ORSA summary report includes three major sections: 1. Description of the Risk Management Framework A summary of the insurer s risk management framework through five key principles: risk culture and governance; risk identification and prioritization; risk appetite, and tolerances and limits; risk management and controls; and risk reporting and communication. 2. Assessment of Risk Exposures A quantitative assessment of risk exposure, in both normal and stressed environments, for each material risk category. 3. Group Assessment An assessment of capital adequacy, and the availability of group risk capital to meet the insurer s current needs and longer-term strategy. 1 As of May 20, 2015, 29 states had adopted the ORSA requirement. See: solvency_150710_materials.pdf 2 Ibid. 3 U.S. insurers with more than $500 million of direct written or assumed premium, or insurance groups that collectively write more than $1 billion of direct written and assumed premium, are subject to the ORSA reporting requirement. WINTER 2016 PROMONTORY Sightlines 27

30 A Guide to Writing Your ORSA The ORSA is much more than a drafting exercise. Regulators have expectations reflected in the guidance previously issued by the NAIC and many state regulators for insurers risk measurement, management, and governance, as well as their risk capital. The ORSA is a firm s chance to describe the quality of its risk and governance systems, and will aid state regulators in determining the extent of a firm s compliance with those expectations. The NAIC s recent Financial Analysis Handbook offers directors and senior managers draft guidance on how state examiners will approach the evaluation of ORSA summary reports. These reports will in turn guide state regulators in defining the scope, depth, and timing of their risk-focused analysis and examination procedures. The insurance companies that submitted pilot ORSA reports have already begun shaping future ORSA standards (and given themselves a lengthy head start for when their reports become compulsory). These pilot submissions have helped the NAIC draw up specific recommendations based on the strengths and shortcomings of the unofficial reports it has reviewed. SECTION 1 RISK MANAGEMENT FRAMEWORK The NAIC has defined a risk management framework along five key principles that an insurer will need to describe in its ORSA summary report. An insurer describing its risk management framework will also want to be cognizant of the approach state examiners will use to review a firm s ORSA processes. 1. Risk Culture and Governance Governance structure that clearly defines and articulates roles, responsibilities, and accountabilities; and a risk culture that supports accountability in risk-based decision-making. 4 Firms must make sure that this section of the report includes: Delineation of roles and responsibilities for risk activities of the firm and the outline of a governance structure that provides independent risk management and oversight. Many financial services firms have adopted a three-lines-of-defense model for their governance structure. 5 A demonstration of how an insurer s job descriptions and performance evaluations show accountability for risk and compliance values and how compensation plans do not encourage inappropriate risk-taking. A description of an insurer s risk and compliance training as one element that demonstrates a robust risk culture. 2. Risk Identification and Prioritization Risk identification and prioritization process is key to the organization; responsibility for this activity is clear; the risk management function is responsible for ensuring that the process is appropriate and functioning properly at all organizational levels. 6 This portion of the report should address key issues about risk identification and prioritization: Outlining major risks an insurer faces and how they are monitored and tracked within the organization. 4 NAIC ORSA Guidance Manual 5 The three-lines-of-defense organizational model generally comprises a first line that has day-to-day responsibility for risk-taking and management; a second line that consists of risk management, compliance, and actuarial areas and provides independent oversight and challenge; and a third line, audit, which provides independent assurance and review. 6 NAIC ORSA Guidance Manual 28 PROMONTORY Sightlines WINTER 2016

31 Demonstrating the incorporation of risk evaluations and severity assessments into tools and models that support decision-making. Showing the involvement of risk professionals in providing evidence of challenge and ensuring that risk exposures are complete and include consideration of all major risk categories. 3. Risk Appetite, and Tolerances and Limits A formal risk-appetite statement, and associated risk tolerances and limits are foundational elements of risk management for an insurer; understanding of the risk-appetite statement ensures alignment with risk strategy by the board of directors. 7 This section answers questions about risk appetite, and tolerances and limits: The firm needs to adopt a risk-appetite statement. This statement should align with the firm s risk strategy and ensure that the insurer maintains its required capital standard. An insurer should list its major risk exposures and include consideration of all major risk categories. While an insurer will normally evaluate risks along the categories of credit, market, liquidity, operational, and underwriting, other risk types such as strategic, legal, or reputational should be factored into the assessment of its ERM framework. 4. Risk Management and Controls Managing risk is an ongoing ERM activity, operating at many levels within the organization. 8 The risk management system of an insurer comprises all strategies, policies, 7 Ibid. 8 Ibid. AREAS OF FOCUS WITHIN THE FIVE KEY PRINCIPLES IN A RISK MANAGEMENT FRAMEWORK Risk Culture and Governance Risk Reporting and Communication Risk Identification and Prioritization Risk Management and Controls Risk Appetite, and Tolerances and Limits WINTER 2016 PROMONTORY Sightlines 29

32 processes, and controls for identifying, assessing, monitoring, managing, and reporting risks to which the insurer may be exposed at a legal-entity and groupwide level. The section on risk management and control should demonstrate: The insurer has an ERM policy in place that provides a framework for the oversight and management of risks. There are well-explained risk management policies that govern key business activities, provide clarity on the level of risk tolerance, and outline roles and responsibilities within the organization. Reporting and escalation protocols are in place when risk levels exceed established tolerance levels. Internal audit regularly tests risk management processes to ensure they are working as intended and to identify any weaknesses or gaps in controls. 5. Risk Reporting and Communication Provides key constituents with transparency into the risk management processes and facilitates active, informal decisions on risk-taking and management. 9 Effective risk management relies on the quality of the risk information it draws on to measure and define risk and guide management s decision-making. The section on risk reporting and communication should show: The quality of the insurer s risk reporting is sufficient to provide senior management and the board with relevant information on the insurer s risk profile. The quality of the underlying data has been tested and verified with reporting information. Risk information is reported on a regular and timely basis. An insurer can document its oversight and review of its risk activities. 9 Ibid. The Maturity-Scale Framework The NAIC draft financial analysis handbook has prescribed the Risk Management Society s Risk Maturity Model, in assessing an insurer s ERM practices. These guidelines provide a continuum of risk rankings as follows: Leadership firms are at the leading edge of risk management practices. They are firms at which strategic planning and capital allocation and other sound business processes are firmly embedded and used in day-to-day decision-making. Risk limits and early-warning systems are already in place to identify risk management breaches, which when identified require immediate corrective action from the board and management. Insurers that receive the Managed grade have advanced risk management capabilities, coordinate risk management across business areas, and use common tools and processes to aid in enterprisewide risk identification, monitoring, measurement, and reporting. Repeatable firms are those in which the risk management processes are in place and operated in a timely, consistent, and sustained way, but where management and the board must take action to address issues related to high-priority risks. Firms deemed Initial have implemented risk management processes, but those processes may not be operating consistently and effectively; and risks are defined and managed in silos, rather than in a consistent manner across the organization. Insurers that receive the Ad hoc grade have risk management processes that are neither developed nor documented. They also exhibit an over-reliance on individual staff members to identify, monitor, and manage risks. The Nonexistent grade is given to insurers that have not recognized a need for risk management and whose risks are not directly identified, monitored, or managed. 30 PROMONTORY Sightlines WINTER 2016

33 SECTION 2 INSURERS ASSESSMENT OF THEIR RISK EXPOSURES [Section 2 provides a] high-level summary of the quantitative assessment of risk exposure in both normal and stressed environments for each material risk category outlined in Section 1. The assessment process should consider a range of outcomes using risk assessment techniques that are appropriate to the nature, scale and complexity of the risks. Key considerations when writing this section: The scope of the quantitative assessment is well defined, with the insurance products and legal entities covered in the report placed in an organizational chart. Demonstrating that the assessment and modeling techniques are in line with industry best practice and that any models used are subject to appropriate model governance and independent validation. Reviewing the confidence level and time horizon used in the ORSA process. The board may decide to use a higher confidence level in the ORSA for business purposes than what is required via minimum standards for regulatory purposes. The results of the stress scenarios should indicate that the insurer has a plan and/ or available resources to appropriately mitigate any potential outcomes arising from the risks. The absence of such a plan and resources needs to be addressed in the ORSA summary report. The firm s internal models should cover the major risks. If they do not, then the insurer should explain how material risks are covered outside of the model. SECTION 3 GROUP ASSESSMENT OF RISK CAPITAL AND PROSPECTIVE SOLVENCY ASSESSMENT Section 3 of the ORSA requires that the insurer s prospective assessment of group capital is based on and fully reflects the firm s business strategy. The company s prospective solvency assessment should demonstrate that it has the financial resources to execute its multiyear business plan. Insurers should consider the following: Review the results of the assessment and ensure that the insurer has sufficient capital to carry out its strategy. An insurer without sufficient capital should document how it will close this gap. Provide clarity on the methodology and assumptions used in the assessment and demonstrate that the methodology and assumptions are realistic, supportable, and appropriate to the scale and complexity of its business. An insurer should state how intragroup transactions are handled and what assumptions are made on the internal transferability of capital to support the legal entities of the group. What time horizon is used in the model? Regulators have not prescribed a standard and leave this to a firm s management to decide. Do the conclusions gained from the group assessment lead to any revision or reconsideration of group strategy? If so, can the insurer outline its remediation strategy? The results of the stress scenarios should indicate that the insurer has a plan and/or available resources to appropriately mitigate any potential outcomes arising from the risks. The absence of such a plan and resources needs to be addressed in the ORSA summary report. The firm s internal models should cover the major risks. If they do not, then the insurer should explain how material risks are covered outside of the model. WINTER 2016 PROMONTORY Sightlines 31

34 Attestation Requirement Finally, the ORSA regime requires an insurer s chief risk officer or other executive with responsibility for ERM oversight to attest to the application of the ERM process as described in the report, and to provide a copy of the report to board directors. An insurer should consider what elements of internal controls should be in place to support the ORSA attestation condition, perhaps using as an example Sarbanes-Oxley Act executive certifications of financial reports. Conclusion The regulatory onus now rests squarely on executives and directors, who must ensure the information contained in ORSA summary reports is complete and demonstrates the strength of a firm s ORSA process. An effective report must answer fundamental questions that relate to an insurer s risk management, governance, and financial strength. Directors and senior management should review interim reports, provide feedback, and document their review, before final approval and attestation, and challenge results as an essential part of their responsibilities. Internal audit should also provide an independent review and report to the board. The ORSA process should then be incorporated into the board s regular reporting and strategic-planning process. ORSAs are not mere regulatory exercises, but important tools that senior managers and directors can use to oversee their firms business strategy and ERM frameworks. An ORSA, properly carried out, informs and contributes to the management of the business, strategic decisions, and operational and risk management processes. ABOUT THE AUTHOR Lisa Megeaski is a director at Promontory. She advises insurance companies and banks on risk management, corporate governance, and risk reporting and disclosure. 32 PROMONTORY Sightlines WINTER 2016

35

36 Global Offices NORTH AMERICA EUROPE Atlanta Denver New York Brussels Dublin London Toronto San Francisco Washington, D.C. ASIA Madrid Milan Paris Beijing Hong Kong Singapore Tokyo MIDDLE EAST AUSTRALIA Dubai Istanbul Sydney Sightlines Promontory Financial Group, LLC th Street, NW, Suite 1100, Washington, DC Telephone Promontory Financial Group, LLC. All Rights Reserved. Fax promontory.com